Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
The WebGPU component in Firefox improperly checks boundary conditions when processing graphics operations. The error classified as CWE-703 indicates improper handling of exceptional or abnormal states, which leads to violation of sandbox environment isolation. An attacker can exploit this vulnerability over the network, without the need to have privileges or engage user actions.
Successful exploitation of the vulnerability allows an attacker to escape from the isolated sandbox environment of the browser, which may lead to taking control of the system — complete violation of confidentiality, integrity and availability of data.
Mozilla Firefox should be updated to version 145 or later and Mozilla Thunderbird to version 145 or later. Patches were released by the vendor according to the references: mfsa2025-87 (Firefox) and mfsa2025-90 (Thunderbird).
Mozilla Firefox in versions prior to 145 and Mozilla Thunderbird in versions prior to 145.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 145.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...